
109

Chapter Six

ENSURING MILITARY CAPABILITY: CONTINUITY OF OPERATIONS

This chapter addresses the third homeland security task area—the continuity of military operations in the United States, its territories, and its possessions.

As distinct from the COG operations, discussed in Chapter Five, this task area of homeland security consists of the continuity of military operations, including

• force protection, primarily for deploying units;

• critical infrastructure protection, i.e., the protection of mission-critical facilities and systems, the infrastructure necessary for the Army to carry out its missions; and

• protection of higher headquarters operations, which will help to ensure the integrity of the military chain of command.

The importance of this task lies in the following simple truth: Unless the Army and other military organizations can ensure the continuity of their own operations, they will be incapable of defending the United States and its vital interests at home and abroad and providing military capabilities for other purposes.

THREAT AND RISK ANALYSES

Threats

Conventional and WMD Attacks. Many of the threats requiring domestic preparedness described in Chapter Four probably apply here as well, although in this task area one would anticipate a higher probability of involvement by state actors attempting to wage asymmetric war on the United States by attempting to hobble its ability to deploy military forces, rather than by nonstate or domestic actors.1

110 Preparing the U.S. Army for Homeland Security

Our analysis suggests that we would expect such threats to attack in breadth rather than depth. What this means is that attacking multiple targets separated in time and space could psychologically create the appearance of a far more formidable adversary than is actually the case. To be more explicit, a single 12-man team of terrorists inserted into the United States with four Stinger missiles would appear to be less formidable and have a lower shock value than if the team divided into four groups, each of which simultaneously attacked civilian or military aircraft in four different locations.2

Cyber Attacks. One also should add to the list of threats state and nonstate actors inimical to the United States who possess no known WMD programs or aspirations but appear to have active programs to develop offensive information capabilities that might be used against the U.S. military.3 This is a very dynamic and complex area, and our analysis can only skim the surface. Accordingly, the analysis that follows will address the issue in relatively broad strokes, supplying data where they are available.

The unclassified literature is somewhat contradictory on the degree of threat of cyber attack. Our reading is that catastrophic cyber attacks are not an imminent threat, but over time—and if actions are not taken to protect against them—the threat could grow.

______________
1 One can construct scenarios, however, in which right-wing groups attack U.S. military capabilities in the belief that they are in fact attacking efforts to impose a “new world order” by UN forces about to impose martial law on the United States.
2 The potential for this type of asymmetric attack against deploying forces has been demonstrated in numerous war games conducted over the past decade. In fact, in every Army After Next war game conducted that “played” homeland security, adversaries consistently attempted to deter, degrade, and disrupt the flow of deploying forces to prevent the U.S. military from arriving in time to accomplish its mission. For a more detailed review of how potential adversaries might asymmetrically attack U.S. forces during deployment, in transit, and in theater, see the Joint Strategic Review for 1999. We are grateful to Rick Brennan for suggesting these points.
3 Former Director of Central Intelligence John Deutch warned in 1996 that “[w]e have evidence that a number of countries around the world are developing the doctrine, strategies and tools to conduct information attacks,” and the London Sunday Times reported in July 1999 that Russian hackers were stealing U.S. weapon secrets (Deutch, 1996; Campbell, 1999).

Consider the transmittal letter of the President’s Commission on Critical Infrastructure Protection, which noted that:

We found no evidence of an impending cyber attack which would have a debilitating effect on the nation’s critical infrastructures. While we see no electronic disaster around the corner, this is no basis for complacency. We did find widespread capability to exploit infrastructure vulnerabilities. The capability to do harm—particularly through information networks—is real; it is growing at an alarming rate; and we have little defense against it. (President’s Commission, 1997a.)

And more recently, Willis Ware of RAND noted:

There is no evidence that the “sky is falling in”; the country is not in imminent danger of massive disruption through infrastructure cyber-attacks. In part, this stems from the natural resilience the country has evolved from having to deal with natural disasters and man-caused events of various kinds and magnitudes; in part, from the natural responses of organizations to protect themselves against anything that causes operational intrusions or upsets. (Ware, 1998, p. vii.)

According to the commander of DoD’s Joint Task Force–Computer Network Defense:

The odds of the U.S. being attacked on line by a foreign nation state in some kind of cyber war in the near future are probably pretty low. But the odds of foreign nation states wanting to develop capabilities to help them if and when we are adversaries are probably pretty high. We need to have the same capability or better. (Wolfe, 1999, p. 1.)

Nevertheless, according to a 1996 study by GAO, the computer systems of the Department of Defense have come under increasing attack over the last several years:

The Department of Defense’s computer systems are being attacked every day. Although Defense does not know exactly how often hackers try to break into its computers, the Defense Information Systems Agency (DISA) estimates that as many as 250,000 attacks may have occurred last year [i.e., in 1995]. According to DISA, the number of attacks has been increasing each year for the past few years, and that trend is expected to continue. Equally worrisome are DISA’s internal test results; in assessing vulnerabilities, DISA attacks and successfully penetrates Defense systems 65 percent of the time. Not all hacker attacks result in actual intrusions into computer systems; some are attempts to obtain information on systems in preparation for future attacks, while others are made by the curious or those who wish to challenge the Department’s computer defenses. For example, Air Force officials at Wright-Patterson Air Force Base told us that, on average, they receive 3,000 to 4,000 attempts to access information each month from countries all around the world.

Many attacks, however, have been very serious. Hackers have stolen and destroyed sensitive data and software. They have installed “backdoors” into computer systems which allow them to surreptitiously regain entry into sensitive Defense systems. They have “crashed” entire systems and networks, denying computer service to authorized users and preventing Defense personnel from performing their duties. These are the attacks that warrant the most concern and highlight the need for greater information systems security at Defense. (GAO, 1996a, p. 2–3.)4

FBI Director Louis Freeh has indicated that cases of commercial, military, and infrastructure-related computer systems hacking incidents have doubled every year (Freeh, 1998). On July 25, 1999, Deputy Secretary of Defense John J. Hamre was quoted by the London Sunday Times as saying: “We’re in the middle of a cyber war.”

Anecdotally, in the spring of 1998, during the deployment of forces to the Persian Gulf in response to Iraqi provocations, Department of Defense networks reportedly experienced their most widespread and systematic attacks to date, with 20 major installations’ networks compromised.5 Teenage hackers were behind attacks on Air Force systems in February 1998 (Graham, 1998; CNN, 1998). The 1999 “Solar Sunrise” exercise also showed the potential consequences of cyber attacks, although these were “attacks” carried out by DoD players in a larger war game (CNN, 1999b). The trashing of web sites apparently has become a part of the larger battle for public opinion, although its consequence for military operations seems dubious.6

Nevertheless, attacks in March 1999 were traced to computers in Russia (CNN, 1999a), and attacks that resulted in stolen military secrets also have been reported (Agence France-Presse, 1999).

Thus there seems little doubt that defense computers are under increasing risk of attack, although the evidence on the frequency and severity of past and current attacks is generally anecdotal rather than statistical and therefore difficult to assess.7 Put another way, the unclassified public statements, anecdotal evidence, and empirical data in this area are somewhat contradictory.8 One suspects the existence of a gap between rhetoric and actual experience, in part stemming from the tension, described in Chapter Four, between the need to prudently alert the public so that they are not complacent about the threat and the desire to avoid frightening the public.9

An analysis of open-source data on computer incidents revealed that the distribution of frequency versus magnitude for cyber attacks taken as a whole follows the by-now familiar pattern of an inverse relationship (see Figure 6.1), with incidents of small or modest consequence predominating but with long tails containing occasional incidents of much greater consequence.

______________
4 See also Campbell (1999).
5 During the attacks, dubbed “Solar Sunrise”:

[T]he defense community and law enforcement agencies struggled to understand the nature of the attacks and identify the threat. The attacks were launched from computers within the United States and overseas. As it turned out, this incident involved a couple of California teenagers. But “Solar Sunrise” demonstrated an enormous vulnerability in our unclassified computer systems which nevertheless play a critical role in management and moving U.S. armed forces all over the globe. (U.S. Senate, 1998.)

6 Attacks on web sites presenting the public case in crises and conflicts have been observed in India and Pakistan and during the war in Kosovo, which included denial-of-service attacks against the White House website. See Varma (1999) and Messmer (1999).
7 Or, in the case of the widely cited figure of 250,000 attacks in 1995, the result of somewhat liberal interpretations of what constitutes an attack, and a potentially questionable extrapolation on the basis of the experience of a rather small number of defense systems.
8 We believe that the Army could make quite good use of classified data, however, if used as we describe in our methodology.
9 In any case, we detect more than a little hyperbole in many of these statements.

[Figure 6.1—Two Measures of Consequence for Cyber Attacks (CERT/CC). Two panels, each plotting frequency: one against the number of sites involved (1–20), the other against the duration of the incident in days (0–100). Source figure RANDMR1251-6.1; image not reproduced.]


The two panels of the figure are built from data from the Computer Emergency Response Team Coordination Center (CERT/CC) for 1995 and convey two different measures of consequence.10

The top panel uses the number of sites involved in an incident to connote the magnitude of consequence, while the bottom panel uses the duration in days of incidents.11

The trend data suggest a growing threat. Figure 6.2 presents CERT/CC trend data on computer incidents, showing the number of incidents handled, the number of hot line calls received, and the number of mail messages handled.

[Figure 6.2—Various CERT/CC Measures of Cyber Attacks, 1988–1998. Series: incidents handled and hot line calls received (axis scale 0–4,000) and mail messages handled (axis scale 0–4,500), by year from 1988 to 1998. SOURCE: CERT/CC, 1999. Source figure RANDMR1251-6.2; image not reproduced.]

______________
10 The authors wish to thank RAND colleague John Pinder for providing these data, which were used in Howard (1997).
11 Of course, we would want to monitor a number of other, more-specific measures of consequence, such as the number of incidents involving the destruction or theft of critical files.


Two of the measures (incidents handled and mail messages received) show fairly consistent annual growth, while the third (hot line calls) shows a decline. How much of the growth results from increases in the number of attacks and how much it reflects an increasing ability to detect or willingness to report such attacks is unclear.

Data from the Federal Computer Incident Response Capability (FedCIRC, see Figure 6.3) suggest the number of federal computer security incidents has generally been below 100 per month, but these incidents vary greatly in the number of affected sites, apparently stemming, in the main, from such computer viruses as Melissa and ExploreZip.12

[Figure 6.3—Federal Computer Security Incidents and Sites.13 Series: incidents and sites (000s), axis scale 0–600, by month from Nov-98 to Aug-99. Source figure RANDMR1251-6.3; image not reproduced.]

______________
12 We suspect that the increase over March–April 1999 is attributable to the Melissa virus. According to U.S. News and World Report, hundreds of thousands of computers were infected by Melissa. To aid in interpretation, CERT/CC’s advisory on Melissa is dated March 27, 1999, while its advisory for the ExploreZip virus is dated June 10, 1999. Of the 59 incidents reported in August 1999, 23 were attributed to reconnaissance efforts, 10 were of unknown type, nine were information requests, six were root compromises, five were viruses, four were denials of service, two were user compromises. See Mitchell (1999).
13 Monthly data are available from http://www.fedcirc.gov.


Data from the Army’s Land Information Warfare Activity’s (LIWA’s) Army Computer Emergency Response Team (ACERT, see Figure 6.4) show an increasing frequency of attacks, although again, it is impossible to separate actual increases from improved detection and reporting capabilities.

Taken together, while the open-source data are somewhat incomplete, relatively compelling evidence suggests increasing incidents and numbers of affected sites.

Weapons

Conventional Weapons and WMD. It is entirely possible that WMD could be used, but significant impact could be felt even in uses of small arms or other portable weapons. In particular, because of their portability and lethality, three types of threats would seem particularly attractive to enemy special operations forces or saboteurs bent on disrupting U.S. military operations, facilities, or systems:14

[Figure 6.4—Incidents and Actual Intrusions of Army Systems.15 Series: actual intrusions (axis scale 0–50) and total incidents (axis scale 0–2,500), for FY 1997, FY 1998, and FY 1999. Bar value labels visible in the source, with series assignment not recoverable from the extraction: 47, 27, 234, 957, 2,350, 42. Source figure RANDMR1251-6.4; image not reproduced.]

______________
14 Some attacks on the United States may not be terrorism but rather acts of war brought to the U.S. homeland.
15 Year-to-date data for 1999 are as of June 1999.


• Man-portable air defense missiles, such as Stingers, are of significant concern, since they could be used either against deploying airlifters or commercial carriers, and in either case result in hundreds of victims.16

• Rocket-propelled grenades (RPGs), which also could be used against low-flying aircraft as well as against troop convoys.

• Mortars, which were used effectively in an attack on a Sarajevo marketplace and could easily be used against a fort or Air Force base or against a port facility.

Cyber Attacks. While mission-critical systems could be attacked by conventional means, it seems more likely to us that, with the proper training, planning, and preparation, a committed adversary could launch computer attacks on mission-critical computer systems and networks.17

Potential Targets

Potential targets are divided into four general classes: deploying forces, mission-critical facilities, mission-critical systems, and higher headquarters.

Deploying Forces. In the context of a larger military action, early deploying forces will be among the most attractive targets for asymmetric attacks. The reasoning is that such forces can halt invasions and stabilize the situation on the ground in anticipation of counteroffensive operations. By this reasoning, a campaign against deploying Army units would probably preferentially target such early deploying forces as the Ready Brigade of the 82d Airborne Division and advance echelons of mechanized and armored forces.18 These attacks probably would be directed at such power projection platforms as airfields where U.S. forces are deploying and probably would aim to kill large numbers of troops through such actions as downing one or more airlifters.

______________
16 According to press reporting, in 1989 DoD estimated that between 200 and 500 Stinger missiles were in the hands of the Afghan mujahedin (Weiner, 1994a).
17 The reason we judge cyber attacks on critical computer systems and networks as more likely than conventional attacks is that the difficulties and costs of mounting computer attacks appear lower than conventional attacks on critical nodes and communications systems, and the opportunities for deception and deniability appear higher. Indeed, recent experience suggests that cyber attacks are far more prevalent than conventional attacks on mission-critical systems and networks. In the event that an adversary were willing to use special operations forces or terrorist capabilities for conventional attacks on military targets in the United States, however, mission-critical computer systems and networks could prove to be attractive targets.

Mission-Critical Facilities. For the Army’s purposes, continuity of operations in the sense of force protection and the continuous operation of mission-critical facilities and systems seems most likely to be placed at risk by attacks on the forts that maintain deployable forces, the air and sea ports of embarkation (APOEs/SPOEs), and key depots and ammunition facilities.19

Mission-Critical Systems. Continuity of operations, in the sense of Critical Infrastructure Protection of mission-critical systems (computers, networks, and communications systems), could be jeopardized either by attacks using small arms and other light weapons, those using mortars or RPGs, or through the use of so-called “cyber attacks.”20

The Year 2000 remediation problem provides insight into the nature of the potential target set of mission-critical systems. According to Secretary of Defense William S. Cohen, the DoD has

10,000 separate computer systems involving 1.5 million individual computers which are spread at hundreds of locations across the globe. Of these, over 2,000 systems are so-called mission-critical—communication, navigational, targeting systems—that absolutely must work for the military to meet its missions on January 1, the year 2000. In fact, over one-third of the government’s critical systems are in the Department of Defense.21

______________
18 By the same logic, Air Force and other early deploying airpower will be preferred targets, since they will be essential to the halt phase of a major theater war. Marine Air Ground Task Forces (MAGTFs) also could be attractive targets for asymmetric attacks.
19 See Appendix I for a listing of illustrative mission-critical facilities. The Army should evaluate the list to determine priorities, e.g., on the basis of whether units or facilities are critical to early deployments.
20 See Appendix I for a listing of illustrative Army mission-critical systems that could come under attack. The list might be too inclusive. The Army should constantly evaluate which systems are mission-critical ones.
21 Of these, 198 are mission-critical, nuclear-related systems (DoD, 1999d).


According to the GAO, as of February 1998, the Army had 376 mission-critical systems and nearly 20,000 nonmission-critical ones;22 DoD mission-critical systems totaled 2,915, and DoD nonmission-critical systems totaled 25,671, and total networks were estimated at 10,000 (GAO, 1998a, pp. 1 and 10).

Higher Headquarters. To be sure, the continuity of higher headquarters operations ensures the integrity of command and control, but it also provides the connecting link between the continuity of military operations and the continuity of government.23 For both reasons, threat and risk assessments should be used to establish what actions should be taken to assure the continuity of headquarters operations.

Net Assessment

With the possible exception of cyber threats—where attacks appear already to be under way but where data on the frequency and magnitude of consequence of these attacks are notably lacking—we believe that most threats to continuity of operations are at best future, not imminent ones.

As described in Chapter Four, the bars to WMD appear to be rather higher than often is acknowledged, but it seems probable that U.S. adversaries at some point will acquire these weapons. Although such weapons could be used to disrupt U.S. future military operations, other weapons, ranging from small arms to man-portable missiles, rocket-propelled grenades, and mortars appear more likely.

Thus, as with the domestic preparedness task area and as will be discussed in the remainder of this chapter, our recommendation is that efforts should begin to, at a minimum, assess more carefully and plan against these threats, while making selected investments to mitigate the threats to key warfighting and supporting units, mission-critical facilities and systems, and higher headquarters. Larger investments should await more complete analysis.

______________
22 The GAO reported that the Army had a total of 18,731 nonmission-critical systems. See GAO (1998c, p. 8).
23 We consider higher headquarters to include OSD and OJCS; Headquarters, Department of the Army; the headquarters of the various CONUS armies; the headquarters of CONUS-based CINCs; and other, comparable high-level commands.

Threat Campaigns

If one takes seriously the possibility of asymmetric attacks against the homeland in response to the deployment of U.S. conventional military capabilities or in an act of regime preservation to coerce the United States to cease military operations before the total defeat of the adversary, then it is relatively easy to envision a determined adversary undertaking an extended campaign against the United States.

In such a situation, it is possible to envision simultaneous attacks on multiple military targets, a sequence of attacks against such high-payoff targets as deploying airlifters, or a differentiated strategy in which attacks on military targets are interspersed with attacks on civilian targets. Such a campaign could easily tax civilian and military capacity. It might do this, for example, by requiring extended alerts or by exhausting one-of-a-kind capabilities.24

Put another way, although the threats and risks now seem relatively remote and with the capacity for the use of WMD yet to be proved, a future, sustained conventional campaign against U.S. military forces could prove quite stressing.

PERFORMANCE MEASURES

Performance measures for continuity of operations and COG activities appear to be somewhat similar, although the specific activities depend on which aspect of this problem set is considered.

Prevention Activities

Because the threats are assumed to overlap with those in the domestic preparedness task area—state and nonstate sponsors of terrorism and disaffected domestic groups—the same sorts of prevention-based performance measures apply, e.g., the number of actual attacks, the number of known, credible attack plans discovered, and the number of preventions.

______________
24 For example, there is only one USMC Chemical Biological Incident Response Force (CBIRF).

Preparedness Activities

Threat and risk analyses would lead to a prioritization of potential mission-critical targets, whether focused on the continuity of headquarters operations, critical facilities, or critical systems and networks. A wide range of preparedness activities could then be undertaken, including improving defenses (e.g., hardened facilities, improved network security for systems) and contingency planning for relocation.

Measures for preparedness activities would aim to reduce the level of damage and the time that any set of mission-critical assets was unavailable. These measures could include

• percentage of mission-critical facilities that have a high capability to withstand attack (e.g., blast effects or chemical or biological attack);

• expected maximum time that normal operations of mission-critical organizations or facilities are likely to be disrupted;

• expected maximum time mission-critical facilities are unavailable; and

• expected maximum time until mitigation or reconstitution capabilities are deployed.

Response and Reconstitution Activities

Some of the operational measures associated with responses in the domestic preparedness area also would apply to response activities. Added to these, however, would be the speed at which headquarters could be relocated to areas of lower risk.

In addition to response performance, planners also need to consider performance in terms of the speed with which basic functions and services can be restored. Perhaps the best measure would be time, i.e., the time until operations can resume at their normal tempo.


Threat Campaigns

An additional measure of performance would be the ability to sustain the full range of continuity operations over a sustained threat campaign that involved multiple attacks in dispersed locations.

NOTIONAL PERFORMANCE LEVELS

We believe technical analyses and policy deliberations could lead to lower or higher levels than those suggested below but offer the following notional performance levels for the continuity of operations task area to provide a flavor of the levels we have in mind:

• For Force Protection of deploying forces, the capability of deploying forces to suffer no more than one half-day delay in mobilization and deployment as a result of attacks on fort-to-port movements or mission-critical facilities and systems. We believe that limiting delays to a half day would minimize the disruption to the flow of forces to a military contingency.

• For mission-critical facilities, the ability to reconstitute and restore operations within one day.

• For mission-critical systems, networks, and communications systems, an ability to detect and isolate or terminate all external intrusions within minutes of penetration and an ability to reconstitute mission-critical systems, networks, and databases within three hours of penetration.

• For Continuity of Headquarters Operations, an ability to recover and reconstitute headquarters and mission-critical functions within 12 hours of an attack.

• For threat campaigns, an ability to sustain continuity operations activities over at least 60–90 days in the face of enemy attacks.
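As an added illustration, not drawn from the RAND report, the following Python scores constructed incident records against the notional levels above (systems: isolate within minutes and reconstitute within three hours of penetration; facilities: restore within one day; headquarters: recover within 12 hours) and computes the "maximum time unavailable" preparedness measure; reading "within minutes" as 15 minutes, and the asset names and timestamps, are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Notional performance levels stated in the chapter, keyed by asset class.
# "Within minutes" for detecting and isolating an intrusion is not a fixed
# number in the text; reading it as 15 minutes is an assumption of this example.
NOTIONAL_LIMITS: Dict[str, Dict[str, timedelta]] = {
    "system": {"isolate": timedelta(minutes=15), "restore": timedelta(hours=3)},
    "facility": {"restore": timedelta(days=1)},
    "headquarters": {"restore": timedelta(hours=12)},
}


@dataclass
class Incident:
    asset_class: str               # "system", "facility" or "headquarters"
    asset: str                     # constructed asset name (hypothetical)
    began: datetime                # time of penetration or attack
    isolated: Optional[datetime]   # intrusion isolated or terminated (systems only)
    restored: Optional[datetime]   # normal tempo restored; None while still open


def elapsed(start: datetime, end: Optional[datetime], now: datetime) -> timedelta:
    """Time from start to end; for a step not yet completed, time elapsed so far."""
    return (end if end is not None else now) - start


def score_incident(inc: Incident, now: datetime) -> Dict[str, object]:
    """Measure one incident against the notional level for its asset class.

    Returns the delay for each step (isolate, restore) and the list of steps
    whose limit was exceeded. An open incident counts as a miss as soon as the
    time already elapsed exceeds the limit, so unresolved incidents are never
    scored as compliant by default.
    """
    limits = NOTIONAL_LIMITS[inc.asset_class]
    result: Dict[str, object] = {"asset": inc.asset, "open": inc.restored is None, "missed": []}
    for step, limit in limits.items():
        end = inc.isolated if step == "isolate" else inc.restored
        delay = elapsed(inc.began, end, now)
        result[step] = delay
        if delay > limit:
            result["missed"].append(step)
    return result


def max_unavailability(incidents: List[Incident], now: datetime) -> Dict[str, timedelta]:
    """Preparedness measure from the chapter: the maximum time assets of each
    class were unavailable, with open incidents measured up to `now`."""
    worst: Dict[str, timedelta] = {}
    for inc in incidents:
        down = elapsed(inc.began, inc.restored, now)
        if down > worst.get(inc.asset_class, timedelta(0)):
            worst[inc.asset_class] = down
    return worst


def compliance(incidents: List[Incident], now: datetime) -> Dict[str, float]:
    """Share of incidents per asset class that met every notional target."""
    met: Dict[str, int] = {}
    total: Dict[str, int] = {}
    for inc in incidents:
        total[inc.asset_class] = total.get(inc.asset_class, 0) + 1
        if not score_incident(inc, now)["missed"]:
            met[inc.asset_class] = met.get(inc.asset_class, 0) + 1
    return {cls: met.get(cls, 0) / n for cls, n in total.items()}


# Constructed sample records (not data from the report).
T0 = datetime(1999, 8, 1, 6, 0)
NOW = T0 + timedelta(days=1)
SAMPLE: List[Incident] = [
    # isolated in 8 min, restored in 2 h: meets both system targets
    Incident("system", "apoe-flight-scheduling", T0,
             T0 + timedelta(minutes=8), T0 + timedelta(hours=2)),
    # isolated after 50 min, restored after 5 h: misses both system targets
    Incident("system", "depot-inventory-net", T0 + timedelta(hours=1),
             T0 + timedelta(hours=1, minutes=50), T0 + timedelta(hours=6)),
    # facility back in 20 h: within the one-day target
    Incident("facility", "fort-rail-yard", T0 + timedelta(hours=2),
             None, T0 + timedelta(hours=22)),
    # headquarters still down 21 h after the attack: open, and past 12 h
    Incident("headquarters", "conus-army-hq", T0 + timedelta(hours=3), None, None),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(score_incident(inc, NOW))
    print("max unavailability:", max_unavailability(SAMPLE, NOW))
    print("compliance:", compliance(SAMPLE, NOW))
```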

PROGRAM DESIGN ISSUES

Force Protection

In most cases, force protection is organic to units and their bases, i.e., the commander for each unit and base is responsible for meeting force protection needs.25 Table 6.1 describes the sorts of capabilities available to support enhanced force protection activities.

The DoD, furthermore, has embarked on a DoD Force Protection Initiative:

The Secretary of Defense has tasked the [Chairman of the Joint Chiefs of Staff] to review the force protection capabilities of U.S. forces worldwide. Several DoD Agencies and OSD organizations are actively involved in this initiative. Currently, each Service is responsible for protecting its own personnel and facilities. Near-term force protection enhancements are being fielded through the Physical Security Equipment Action Group under the guidance of the Physical Security Equipment Steering Group (chaired by the Director of Strategic and Tactical Systems, PDUSD (A&T) (S&TS)) and funded under the OSD Physical Security Equipment Program.

Table 6.1

Force Protection Capabilities

Columns (Type of Event): HE, CHEM, BIO, RAD, NUC, CYBER. An X marks each event type for which a capability applies; the column alignment of the X marks was lost in extraction, so only the marks recovered for each row are reproduced.

Operational Capabilities
• Installation alert system and physical security measures: X X X X X
• Installation military police: X X X X X
• Tenant units and their security SOP: X X X X X
• Local police, fire, and rescue services: X X X X X
• Local FBI: X X X X X X
• ATF: X X X X
• Civilian port and airport police: X X X

Reachback Capabilities
• USACOM J-2: (no marks recovered)
• Installation G-2: X X X X X X
• DIA: X X X X X X
• FBI intelligence: X X X X X X
• State and local police: X X X X X

______________
25 The dictum of “mission first, people always” applies.


These efforts are being coordinated with the technology development activities of the [Technical Support Working Group Counterterrorism Technical Support] TSWG/CTTS. DSWA is supporting the initiative by conducting force protection assessments of facilities worldwide, fielding assessment teams to identify and evaluate force protection shortfalls, and assisting commanders in rectifying the identified shortfalls. The CBD Program is also assisting in this effort. The CJCS has approved DSWA’s proposed methodology and concept of operations for conducting the assessments. Using ideas and inputs to fulfill CINC and Service requirements to address force protection shortfalls. Key milestones are to i) complete 50 assessments by the end of calendar year 1997 and complete 100 assessments by the end of 1998; ii) continue to apply the latest technology to achieve enhanced force protection; and iii) define a prioritized technology R&D plan to address key force protection shortfalls. (CPRC, 1997, Section Eight, “DoD, DOE, and U.S. Intelligence Programs for Countering Paramilitary and NBC Threats.”)

Although the threat of such an eventuality is currently judged to be low, in an asymmetric enemy campaign against deploying forces and their power projection platforms, the organic assets that provide force protection could easily prove inadequate. As described above, particular concern is warranted about the vulnerabilities and force protection of early deploying forces, particularly when they are massed at air bases or seaports, or on board airlifters.

The Army should work with the other services, predominantly the Air Force and Navy, to establish what sorts of enhanced force protection might be possible to reduce the vulnerability of deploying forces and to clarify the respective roles of the services for providing this protection. Particular attention should be given to the vulnerability of APOEs and SPOEs and to the vulnerability of airlifters as they egress fly-out zones adjacent to air bases. The Army and Air Force should jointly explore the trade space associated with alternative concepts for enhancement of force protection (e.g., additional security forces versus equipping airlifters with decoys, chaff, or other countermeasures).

126 Preparing the U.S. Army for Homeland Security

Continuity of Operations

Table 6.2 describes what appear to us to be the key continuity of operations capabilities in the National Capital area.26 These capabilities include a host of DoD, joint, and service activities that could play important roles in the continuity of operations task area.27

Although these capabilities are judged to be adequate under normal circumstances, it seems likely that they would be greatly stressed by a prolonged enemy asymmetric campaign against deploying forces and mission-critical facilities.

Mission-Critical Facilities

In 1997, DoD-wide efforts to improve the security of mission-critical facilities included an OSD Joint Physical Security Equipment Program that aimed to undertake RDT&E that would enhance the security of forces and mission-critical facilities:

This program consolidates related DoD Joint Service and Agency RDT&E programs developing advanced technologies for protecting critical, high-value military assets from paramilitary, terrorist, intelligence, and other hostile threats. Efforts focus on protecting personnel, facilities, and high-value weapon systems, including nuclear and chemical weapon systems and storage facilities. This program is serving as the focal point for near-term upgrades to U.S. facilities under the Force Protection initiative discussed above.

Key accomplishments since last year’s report include: i) completion of numerous qualification tests and evaluations of integrating video motion detection capabilities into the Tactical Automated Security System; ii) installation of an interior Mobile Detection Assessment Response System in a Naval facility for operational evaluation; iii) installation of a Waterside Security System at Submarine Base Kings Bay, Georgia; iv) testing of promising commercial off-the-shelf technologies for the Portable Explosive Detection project; and v)

______________
26 Many of these are deployable to locations outside of the District of Columbia.
27 Service headquarters also should be included.


Table 6.2

Continuity of Operations Capabilities in the National Capital Area

Type of Event: HE  CHEM  BIO  RAD  NUC  CYBER

Operational Capabilities: DoD
  Defense Protective Service                                 X X X X X
  Defense Information Systems Agency                         X X
  Defense Communications Agency                              X X X X X X
  Criminal Investigation Command                             X X X X X X
  Military District of Washington MPs                        X X X X X
  Army Computer Emergency Response Team (ACERT)              X
  USMC/Navy security detachments                             X X X X X

Other Operational Capabilities
  National Capitol Region hospitals and clinics              X X X X X

Reachback: DoD
  INSCOM                                                     X X X X X X
  DIA                                                        X X X X X X
  JTF-CND                                                    X X X X X X
  Walter Reed AMC                                            X X X X X
  Criminal Investigation Command                             X X X X X X
  Defense Information Systems Agency                         X X
  Defense Communications Agency                              X X X X X X

NOTE: This chart treats only those Military District of Washington assets and National Capitol Region assets that might be involved. From the perspective of an outsider, any of the physical attacks and the responses to them would involve the agencies that normally respond to a domestic preparedness event.

demonstration of prototype sensor hardware for various detection systems. (CPRC, 1997, Section Eight, “DoD, DOE, and U.S. Intelligence Programs for Countering Paramilitary and NBC Threats.”)

The Army should perform the necessary threat and risk assessments to assist in developing formal risk management programs that can be used as a basis for prioritizing and allocating resources, and these assessments probably should focus on mission-critical facilities at home, such as power projection platforms.

Mission-Critical Systems

Although the threat data basically conform to the sort of distribution described in Chapter Three, the threat of cyber attack requires a slightly different interpretation: Rather than seeking to prepare for events of a given magnitude, the aim instead is to keep the consequences below a specific threshold.

Preferential attention and resources should be given to mission-critical systems that support power projection and the employment of military forces to conduct assigned missions.28 As in other areas of emerging threat, the GAO has advocated the use of threat and risk assessment and risk management and cost-effectiveness to guide DoD responses to the cyber threat.

In addition, since absolute protection is not feasible, developing effective information systems security involves an often-complicated set of trade-offs. Organizations have to consider the (1) type and sensitivity of the information to be protected, (2) vulnerabilities of the computers and networks, (3) various threats, including hackers, thieves, disgruntled employees, competitors, and in Defense’s case, foreign adversaries and spies, (4) countermeasures available to combat the problem, and (5) costs.

In managing security risks, organizations must decide how great the risk is to their systems and information, what they are going to do to defend themselves, and what risks they are willing to accept. In most cases, a prudent approach involves selecting an appropriate level of protection and then ensuring that any security breaches that do occur can be effectively detected and countered. (GAO, 1996a, pp. 1–2.)

______________
28 The GAO indicated that, DoD-wide, resources for Y2K remediation efforts were being spent on nonmission-critical systems even though most mission-critical systems had not been corrected (GAO, 1998a, p. 2). An illustrative list of potential mission-critical systems can be found in Appendix I of this report.


The GAO further recommends a range of actions that can be taken to reduce threats and risks, with decisions ultimately to be based on the analytic or business case that results from risk assessments.

This generally means that controls be established in a number of areas, including, but not limited to: a comprehensive security program with top management commitment, sufficient resources, and clearly assigned roles and responsibilities for those responsible for the program’s implementation; clear, consistent, and up-to-date information on security policies and procedures; vulnerability assessments to identify security weaknesses; awareness training to ensure that computer users understand the security risks associated with networked computers; assurance that systems administrators and information security officials have sufficient time and training to do their jobs properly; cost-effective use of technical and automated security solutions; and a robust incident response capability to detect and react to attacks and to aggressively track and prosecute attackers. (GAO, 1996a, pp. 1–2.)

In the area of cyber threats, prevention, preparedness, and response activities should focus on mission-critical systems, i.e., those systems essential to undertaking or supporting military operations and other key missions.

Unfortunately, the absence of reliable data makes it impossible to establish where the greatest payoffs might be. Consider the following instructive example: Most of the discussion in the broader policy environment is focused on “cyber attack” by state and nonstate actors, and great interest lies in developing advanced technologies to detect and mitigate these threats. However, it generally has been established in the private sector that insider misuse is a more frequent problem than “cyber attacks” from outside organizations.29 If DoD experience is at all comparable, it would suggest that, rather than emphasizing external attacks, the greatest emphasis should be placed on ensuring that routine administrative and security controls are being effectively implemented to guard against this sort of misuse.30

______________
29 In the 1999 Computer Security Institute/FBI survey of computer crime, 24 percent of the organizations reported system penetration by an outsider, while 76 percent reported insider abuse of net access and 43 percent reported unauthorized insider access to information. Seventy-nine percent of these organizations judged as unlikely the possibility of foreign government involvement, and 70 percent judged as unlikely the possibility of foreign corporation involvement. Nevertheless, the number of reports of system penetration by outsiders, unauthorized access by insiders, and theft of proprietary information rose from 1998 to 1999. See CSI/FBI (1999) and Department of Defense (1999c). A study of the threat of insider misuse in the DoD has recently been published.

The Department of Defense has taken some actions already on the threat of computer attack, including removing potentially sensitive information from web-accessible locations (Hamre, 1998b), reducing to six the number of “portals” through which Internet users can access DoD computers (Bender, 1999), and standing up a computer network defense center, a Joint Task Force-Computer Network Defense (JTF-CND), and a DoD Computer Emergency Response Team (DoD CERT) (Keeter, 1999, p. 7; Wolfe, 1999, p. 1).31

Within the Army, in addition to the consolidation of Information Assurance activities in LIWA and the Army Computer Emergency Response Team (ACERT), an active-duty/reserve component initiative to strengthen the Total Army’s information operations posture is under way. The plan is to expand LIWA’s ability to respond to emergencies using reserve component CERT/Vulnerability Teams as well as providing tactical commanders with trained reserve component information operations (IO) sections to plan, coordinate, and execute “full spectrum information operations” (DAMO-SSW, 1999).

______________
30 As reported by the National Research Council: “Troops in the field did not appear to take the protection of their C4I systems nearly as seriously as they do other aspects of defense.” See National Research Council, Realizing the Potential of C4I: Fundamental Challenges, reported in Saldarini, undated. Saldarini reported the following:

[r]eviewers observed instances of insufficient security such as sticky notes with important systems data attached to computers. In other instances, computers holding sensitive information were found to be vulnerable to hostile applets from the World Wide Web. The report attributed slack computer security to a DoD organizational culture accustomed to mounting offensive attacks. Cyber-terrorist threats instead must be countered with defensive action.

For example, it may well be that 95 percent of the attacks can be prevented by simply making sure that system administrators disable accounts when users leave an organization, that system-level passwords are changed routinely, and that other, similar low-tech measures are taken.
31 The DoD CERT reportedly consolidated the functions of two earlier teams: ASSIST, which monitored intrusions and provided responses to the attacks, and DIAMOND, a group that surveyed past attack data to enhance future network security.


The ARNG has launched a 15-state Information Operations pilot program that includes nine CERTs with six at the state level, two in direct support of LIWA, and one CERT located at the National Guard Bureau (NGB). Additionally, nine Tactical IO Sections (four division level and five for enhanced brigades); four Vulnerability Assessment Teams (VATs), two of which will be in direct support of LIWA and two supporting National Guard networks and tactical units; and five Field Support Teams have been established. The ARNG’s goal in FY 2000 was to establish ARNG CERTs at the NGB and in each state; create five field support teams and four VATs in support of the JTF/theater commanders and warfighting exercises; and establish IO sections in all eight combat divisions and in all 15 enhanced brigades by December 2000 (DAMO-SSW, 1999). The USAR’s aim for FY 2000 was to establish three fully mission-capable IO Centers and a LIWA Enhancement Center (DAMO-SSW, 1999).

A number of serious efforts have gone into providing detailed recommendations on reducing the exposure of systems and networks to threats.32 Although choices should be guided by formal threat and risk assessments, and cost-effectiveness and tradeoff analyses, the following examples will provide a sense of the range of possible actions:

• Improving data on incidents of cyber attack, including capabilities to log suspect activity and analyze these data to discern emerging patterns of activity that need to be addressed.33 In such a case, there might be tradeoffs between monitoring capabilities and computer performance for legitimate users.

• Prioritizing information assurance efforts to invest preferentially in efforts to protect mission-critical systems at highest risk.

______________
32 For example, the Defense Science Board (1996) provided 13 overarching categories of recommended actions and 50 specific actions to improve the defensive information warfare capabilities of the DoD. See Appendix J of this report. The President’s Commission on Critical Infrastructure Protection (1997a, pp. 60–62) provided the outlines of a strategy that included activities in policy formulation; prevention and mitigation; information sharing and operational warning; counteraction (incident management); and response, restoration, and reconstitution (consequence management). See Appendix K for a listing of these activities. Also see Ware’s (1998) recommendations and the recommendations in Department of Defense (1999c).
33 According to press reporting, this is one of the functions being performed by the DoD CERT and possibly Army CERT.


• Performing risk assessments and developing realistic contingency plans for critical systems and activities in the event that service is disrupted.

• Removing mission-critical systems from Internet-accessible servers or placing them on less vulnerable platforms.34 In this case, the tradeoff would include the costs of having to create or have users rely on secure systems for unclassified computing on mission-critical systems.

• Routine efforts by system administrators to remove old accounts, to change all system-level passwords, and other administrator functions that can reduce vulnerabilities.

• R&D in furtherance of better capabilities to detect and track intrusions and insider misuse, to locate the intruders, and to terminate these sessions. Cyber-counterattacks and FBI action are also being used.35
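The first action listed above (logging suspect activity and analyzing the data for emerging patterns) and the chapter's later observation that many reported incidents were reconnaissance probes both come down to the same analytic step: find scanning behaviour in the logs, then use it to decide which mission-critical systems to remediate first. The following is an added example of that step, not code from the RAND report or from any Army or DoD organization; the log format, the addresses, the 60-second window and sweep thresholds, and the host inventory are all constructed for illustration.

```python
"""Flag reconnaissance-style activity in constructed firewall logs and rank
the probed hosts for remediation, mission-critical systems first. Added
example (not the report's or any Army system's); all data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (hypothetical format): timestamp src dst dport action
SAMPLE_LOG = """\
1999-06-02T10:15:01 192.0.2.10 198.51.100.5 21 DENY
1999-06-02T10:15:02 192.0.2.10 198.51.100.5 22 DENY
1999-06-02T10:15:02 192.0.2.10 198.51.100.5 23 DENY
1999-06-02T10:15:03 192.0.2.10 198.51.100.5 25 DENY
1999-06-02T10:15:03 192.0.2.10 198.51.100.5 80 ALLOW
1999-06-02T10:15:04 192.0.2.10 198.51.100.5 110 DENY
1999-06-02T10:15:05 192.0.2.10 198.51.100.5 139 DENY
1999-06-02T10:15:06 192.0.2.10 198.51.100.5 443 DENY
1999-06-02T10:20:00 192.0.2.77 198.51.100.1 80 ALLOW
1999-06-02T10:20:01 192.0.2.77 198.51.100.2 80 ALLOW
1999-06-02T10:20:01 192.0.2.77 198.51.100.3 80 ALLOW
1999-06-02T10:20:02 192.0.2.77 198.51.100.4 80 ALLOW
1999-06-02T10:20:02 192.0.2.77 198.51.100.5 80 ALLOW
1999-06-02T10:20:03 192.0.2.77 198.51.100.6 80 ALLOW
1999-06-02T10:20:03 192.0.2.77 198.51.100.7 80 ALLOW
1999-06-02T10:20:04 192.0.2.77 198.51.100.8 80 ALLOW
1999-06-02T11:00:00 203.0.113.9 198.51.100.5 80 ALLOW
1999-06-02T11:05:00 203.0.113.9 198.51.100.5 443 ALLOW
"""

# Constructed inventory (hypothetical names): host -> (system, tier)
INVENTORY = {
    "198.51.100.5": ("deployment-planning-db", "mission-critical"),
    "198.51.100.8": ("logistics-gateway", "mission-critical"),
    "198.51.100.2": ("public-web", "non-critical"),
}

WINDOW = timedelta(seconds=60)   # assumed policy thresholds follow
PORT_SWEEP_MIN = 8               # distinct ports on one host within WINDOW
HOST_SWEEP_MIN = 8               # distinct hosts on one port within WINDOW


def parse(log_text):
    """Turn log lines into (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, action = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def detect_recon(events):
    """Return {src: {"kinds": [...], "targets": {dst: [ports]}}} for each
    source whose activity within some WINDOW looks like a port or host sweep."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, start in enumerate(evs):          # slide a window over each start
            window = [e for e in evs[i:] if e[0] - start[0] <= WINDOW]
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for _, _, dst, dport, _ in window:
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            kinds = []
            if any(len(p) >= PORT_SWEEP_MIN for p in ports_per_host.values()):
                kinds.append("port-sweep")
            if any(len(h) >= HOST_SWEEP_MIN for h in hosts_per_port.values()):
                kinds.append("host-sweep")
            if kinds:
                findings[src] = {"kinds": kinds, "targets": {
                    h: sorted(p) for h, p in ports_per_host.items()}}
                break                            # one finding per source is enough
    return findings


def remediation_priority(findings, inventory):
    """Rank probed hosts: mission-critical tier first, then by number of
    scanning sources and of distinct ports probed (ties broken by address)."""
    probed = defaultdict(lambda: {"sources": set(), "ports": set()})
    for src, f in findings.items():
        for dst, ports in f["targets"].items():
            probed[dst]["sources"].add(src)
            probed[dst]["ports"].update(ports)
    rows = []
    for dst, info in probed.items():
        system, tier = inventory.get(dst, ("unknown", "unclassified"))
        rows.append({"host": dst, "system": system, "tier": tier,
                     "sources": len(info["sources"]), "ports": len(info["ports"])})
    rows.sort(key=lambda r: (r["tier"] != "mission-critical",
                             -r["sources"], -r["ports"], r["host"]))
    return rows
```

Running `remediation_priority(detect_recon(parse(SAMPLE_LOG)), INVENTORY)` puts the planning database first (probed by two sources on eight ports) and the logistics gateway second, ahead of the non-critical and unclassified hosts that were touched only by the host sweep. The two thresholds are the tradeoff the bullet mentions in miniature: lowering them catches slower scans at the cost of more false positives and more log processing per event.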

In particular, the Army should continue to develop a more comprehensive and reliable incident data collection effort to assist in understanding the nature of the threats and risks it faces.36 Such an effort would seek to develop taxonomies to facilitate threat and risk assessments and make possible a “divide-and-conquer” approach to target the highest-priority threats and risks with cost-effective solutions. We believe the best strategy would be the one that

• defines Army-wide, given the potential for inconsistent execution in information assurance activities, which systems are mission-critical and which are to have some sort of centralized execution of information assurance activities;37

______________
34 The Army reportedly has switched from Windows NT to Mac OS-based servers for its home page (“Tired of Hacks,” 1999).
35 Pentagon computers reportedly responded to an attack in the form of a flood of requests by “flooding the browsers used to launch the attack with graphics and messages, causing them to crash” (Schwartau, 1999). The FBI also has begun raiding hackers’ homes (CNN, 1999c).
36 ACERT and LIWA have the beginnings of such an effort.
37 Efforts to ensure system security could be centrally executed, for example, by a security manager associated with each mission-critical system, who would assure its security by validating the dispersed base of user sites.


• establishes the necessary training and procedures to ensure that routine administrative actions (e.g., disabling of old accounts, changing system passwords, installing patches for newly discovered vulnerabilities, installing upgraded security software) are taken;

• on the basis of cost-effectiveness and tradeoff analyses, enables decisions on which systems also should benefit from other actions, e.g., moving the system from an unsecured network (telephone or web-accessible) to a more secure (e.g., NIPRNET or SIPRNET) network, installing additional detection and monitoring software; and

• continues to invest in long-term software RDT&E efforts to develop code that can substantially reduce the risk to mission-critical systems.
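The second element of this strategy, and the footnote above suggesting that most attacks could be stopped by disabling departed users' accounts and rotating system-level passwords, describe controls whose execution can be verified mechanically. The following is an added example of such a verification, not code from the RAND report or from any Army organization; the account records, patch identifiers, field names, and the 90-day dormancy and 60-day rotation thresholds are constructed stand-ins for whatever an installation's directory export, password-age report, and patch inventory actually provide.

```python
"""Audit routine administrative controls: departed or dormant users whose
accounts are still enabled, overdue rotation of system-level passwords, and
hosts missing required patches. Added example (not the report's or any Army
system's); every record and threshold below is constructed."""
from datetime import date, timedelta

AS_OF = date(1999, 9, 1)                    # audit date (constructed)
DORMANT_AFTER = timedelta(days=90)          # assumed policy thresholds
ROTATE_SYSTEM_PW_AFTER = timedelta(days=60)

# Constructed account export, one dict per account (hypothetical fields).
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "system_level": False,
     "last_login": date(1999, 8, 28), "separated": None,
     "pw_changed": date(1999, 7, 1)},
    {"user": "asmith", "enabled": True, "system_level": False,
     "last_login": date(1999, 4, 2), "separated": date(1999, 4, 15),
     "pw_changed": date(1999, 1, 10)},
    {"user": "oldtemp", "enabled": True, "system_level": False,
     "last_login": date(1999, 3, 1), "separated": None,
     "pw_changed": date(1999, 2, 1)},
    {"user": "root", "enabled": True, "system_level": True,
     "last_login": date(1999, 8, 31), "separated": None,
     "pw_changed": date(1999, 5, 1)},
    {"user": "backup", "enabled": False, "system_level": True,
     "last_login": date(1998, 12, 1), "separated": date(1998, 12, 5),
     "pw_changed": date(1998, 6, 1)},
]

# Constructed patch inventory: host -> installed patch IDs (placeholders),
# and the baseline every mission-critical host is required to carry.
INSTALLED = {"planning-db": {"PATCH-001", "PATCH-002"},
             "logistics-gw": {"PATCH-001"},
             "relay": {"PATCH-001", "PATCH-002", "PATCH-003"}}
REQUIRED = {"PATCH-001", "PATCH-002", "PATCH-003"}


def audit_accounts(accounts, as_of=AS_OF):
    """Return (user, finding) pairs for enabled accounts that violate policy.
    A departed user outranks plain dormancy; disabled accounts are skipped."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue                           # already disabled: nothing to do
        if a["separated"] is not None and a["separated"] <= as_of:
            findings.append((a["user"], "departed-user-still-enabled"))
        elif as_of - a["last_login"] > DORMANT_AFTER:
            findings.append((a["user"], "dormant-account"))
        if a["system_level"] and as_of - a["pw_changed"] > ROTATE_SYSTEM_PW_AFTER:
            findings.append((a["user"], "system-password-rotation-overdue"))
    return findings


def audit_patches(installed, required=REQUIRED):
    """Return {host: [missing patch IDs]} for hosts below the baseline."""
    return {host: sorted(required - have)
            for host, have in installed.items() if required - have}


def audit_summary(accounts=ACCOUNTS, installed=INSTALLED):
    """Count findings by kind so results can be tracked from audit to audit."""
    counts = {}
    for _, kind in audit_accounts(accounts):
        counts[kind] = counts.get(kind, 0) + 1
    counts["hosts-missing-patches"] = len(audit_patches(installed))
    return counts
```

On the constructed data the audit reports one departed user still enabled, one dormant account, one overdue system password, and two hosts below the patch baseline. The point of the `audit_summary` counts is the centralized execution the first bullet calls for: the same checks run against every mission-critical system produce comparable numbers, so inconsistent execution across sites shows up as a trend rather than as an anecdote.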

Threat Campaigns

As described above, an extended threat campaign that attacked dispersed targets could exhaust capabilities and erode readiness to prevent or respond to still other attacks. Accordingly, an important capacity issue is the rotation base that might be required. In fact, the possible future need for a rotation base might be one of the most important arguments in favor of conversion of the Guard to homeland security functions.

BUDGETING ISSUES

Federal Spending

Because federal funding is reported in governmentwide aggregates, it is exceedingly difficult to establish the funding levels associated with DoD and Army continuity of operations programs.

It is known, for example, that the President’s FY 2000 budget included $206 million to protect federal government facilities (White House, 1999a); and $1.464 billion to address critical federal infrastructure protection (White House, 1999a), including


• $500 million for a Critical Infrastructure Applied Research Initiative;

• $2 million for intrusion and detection systems;

• $8 million for Information Sharing and Analysis Centers (ISACs); and

• funding for a “Cyber Corps” to respond to attacks on computer networks (White House, 1999a).

In the area of threats to computer systems and networks, the General Services Administration, the Critical Infrastructure Assurance Office, the National Security Agency, and the FBI’s National Infrastructure Protection Center are developing a Federal Intrusion Detection Network that will provide a common center for response to cyber attacks on federal departments and agencies. The system reportedly is based on the DoD’s incident-reporting network, which is said to be further along than civilian agencies’ efforts (Frank, 1999). More recently, the Clinton Administration offered a revised plan that, it was hoped, would raise fewer fears about on-line privacy (White House, 1999c; O’Harrow, 1999, p. A31).

The Senate Armed Services Committee has reported that DoD-wide information assurance activities are underfunded:

The committee notes the important steps taken by the administration and the Department to secure critical information infrastructures. In particular, DOD has established a Task Force for Computer Network Defense, a Defense-wide Information Assurance Program, and an integrated working relationship with the National Infrastructure Protection Center at the Federal Bureau of Investigation. Notwithstanding these positive steps, significant funding deficiencies remain in the Department’s fiscal year 2000 budget request and the FYDP for information assurance and related matters.

During a hearing on March 16, 1999, the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (C3I) stated that a $420.0 million increase to the fiscal year 2000 budget request and a $1.9 billion increase to the FYDP would be required for information assurance programs. These funding shortfalls are of great concern to the committee. Therefore, the committee recommends additional funding in this area and provision that would strengthen the Department’s information assurance program and provide for improved congressional oversight. (U.S. Senate, 1999, pp. 7–8.)

In large part, this funding shortfall appears to have been because the Critical Asset Assurance Program (CAAP), which was slated to address the security of facilities and systems, essentially was an unfunded mandate (“DoD: Infrastructure,” 1999, p. 1).38

As of late summer 1999, the DoD planned to create a new program to replace CAAP, and was weighing additional funding for infrastructure protection,39 including increased funding for R&D aimed at improving detection and reducing the vulnerability of defense computer systems.40 The Senate Armed Services Committee approvingly cited the ASD (C3I)’s claim that a $420.0 million increase to the FY 2000 budget request and a $1.9 billion increase to the FYDP were required to address information assurance problems (U.S. House of Representatives, 1999b, pp. 7–8).

This suggests to us that DoD (and the Army) may be faced not so much with the question of how it will pay for information assurance but rather what the priorities and allocation of resources should be to protect its computer systems and networks. As described earlier, it seems that justifications for programs to mitigate threats increasingly will need to rely on formal threat and risk assessments and cost-effectiveness analysis.

Army Spending

The Army also tends to deal in budgetary aggregates when spending on the security of systems and facilities is concerned. These data suggest that Army-wide spending on security programs will increase through FY 2001, while spending on information security is hovering around $40 million annually.41

______________
38 The CAAP ultimately was canceled in August 1999.
39 The report suggested that one option under consideration was to put $149 million in additional funding into the FYDP for information assurance activities.
40 This may include a spending increase for a DARPA demonstration project on a computer system concept that employs random network paths and computer redundancy techniques to reduce the vulnerability of military information technology systems (U.S. Senate, 1999, p. 227).

CONCLUSIONS

The analysis provided in this chapter has suggested that the continuity of operations task area consists of three principal activities: force protection for deploying forces, the protection of mission-critical facilities and systems, and the continuity of higher headquarters operations.

Our analyses suggest that, although the threats seem remote, it is prudent to begin planning now to ensure the continued security of Army forces, facilities, systems, and higher headquarters and, in the case of computer systems and networks, actually make investments. In other words, planning should begin for additional force protection capabilities, although acquisition of additional capability in other than cyber areas should be delayed until formal threat and risk assessments and cost-effectiveness and tradeoff analyses reveal where the greatest leverage is to be found. In the case of computer security, investments also should have an analytic basis.

In the area of force protection, it may be desirable to plan for more robust monitoring and surveillance capabilities near key forts, ports, and airfields, as well as capabilities for assuring the safety of fly-out zones and air corridors. It is easy for us to imagine hundreds of deaths resulting from a missile attack on a departing airlifter, as well as the cessation of deployments until security is established.

Multiple attacks within CONUS against civilian and military targets during a wartime mobilization also could stress low-density assets that have dual missions of warfighting and homeland security (e.g., the TEU, but also chemical units). In such a circumstance, military commanders could be confronted with the need to leave behind certain low-density units for homeland security activities that also would be needed for force protection in theater (Joint Chiefs of Staff, 1999).

______________
41 Security Programs (BA 4) constituted $372 million in 1998, $402 million in 1999, $427 million in FY 2000, and $439 million in FY 2001, while spending on Information Security in the Other Procurement, Army, category, was $26 million in FY 1998, $44 million in FY 1999, $40 million in FY 2000, and $42 million in FY 2001 (Assistant Secretary of the Army, 1999a, pp. 40–41; 1999b, p. 19).

In the area of protecting mission-critical facilities and systems, it is necessary to begin with an end-to-end analysis of key missions and the facilities and systems essential to the accomplishment of these missions and those that are not. It also appears to be critical to have centralized coordination of risk mitigation efforts, to ensure that no “weak links” are in the chain that result from varying interpretations of guidance. As suggested by the FedCIRC data, a fairly large number of computer security incidents appear to have been reconnaissance efforts to identify and probe vulnerabilities. Such incidents can be used to target remediation efforts for mission-critical systems.

In the area of protecting higher headquarters operations, security, relocation, and reconstitution plans should be reviewed for their adequacy in light of the potentially emerging threats.

As was noted at the beginning of the chapter, the continuity of military operations remains one of the cornerstones of homeland security because, without it, the Army’s ability to accomplish its assigned missions could be compromised. Because resources are likely to be limited, however, the Army should make every effort to ensure that its security investments—whether directed at protecting forces, mission-critical facilities or systems, or higher headquarters—are prioritized based on formal threat and risk assessments and cost-effectiveness and tradeoff analyses that identify where the greatest leverage is to be found.

The next chapter considers the final homeland security task area covered in this study—border and coastal defense.